James R. Mirick sets the record straight on things he cares about

Trust, Fraud, and Email, Part 2

The e-mail address looks legitimate — sent from admin@irs.gov or tax-refunds@irs.gov. The logos and graphics look convincingly like the ones you'd find on the official IRS website. And there is an intriguing reason to click the link requesting your Social Security number and credit card information: a refund. But if you do, you'll see a maxed-out credit card or a stolen identity, not the $63.60 the e-mail claims.

The worst part of these frauds is that they are being run by gangs, not by individuals looking to erase your hard drive, so there is now serious money at stake. Our money, unfortunately.

So, with roughly 60% of email traffic being spam or worse, is it likely that email will simply become so untrusted as to be useless, or shrink to a closed messaging system among already-authenticated friends? Could be, but I hope not. Even subtracting spam, email is still the Internet service all of us use most often.

There are some solutions, including the dismal step of licensing servers (more about this in a later post). We could require emails to be digitally signed, but the infrastructure to support that would be expensive and cumbersome to maintain. Both of these raise (for Americans, anyway) significant First Amendment concerns, along with the possibility of political oversight and censure.

There is one very unobtrusive partial solution, called Sender Policy Framework, or SPF, which does not solve the whole problem but at least takes on part of it — preventing forged email headers. Forged headers are used in virtually all spam, and most phishing trolls, too, so defeating them is a huge blow to phishers and spammers. And it's easy to do; I am currently in the process of implementing it for our domains here at work. A large number of the big email handlers (e.g. AOL and Yahoo!) have implemented the receiving end of SPF and are therefore rejecting an additional 500 million fraudulent emails per day.
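To make concrete what the receiving end of SPF actually does, here is an added example (not code from this post or from any SPF implementation) of the check a mail server runs when a connection arrives: it looks up the TXT record for the domain in the envelope sender (the SMTP MAIL FROM, which is what SPF covers, rather than the visible From: header), and asks whether the connecting IP is one the domain owner has authorized. The domains, records and addresses below are constructed and held in an in-memory table so the example runs offline; a real server resolves them over DNS. Only the ip4, ip6, include and all mechanisms are handled, which is enough to show how a forged sender domain gets a fail result.

```python
"""Minimal SPF (RFC 7208) check against a constructed, in-memory DNS table.

Added example, not the post's code. Evaluates v=spf1 records with the
ip4, ip6, include and all mechanisms plus their qualifiers. Mechanisms
that need further DNS resolution (a, mx, ptr, exists) are deliberately
omitted and reported as permerror.
"""
import ipaddress

# Constructed TXT records standing in for DNS lookups (hypothetical domains).
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example.net -all",
    "_spf.mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # self-referencing, must not recurse forever
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms per evaluation


def check_spf(ip, domain, records=TXT_RECORDS, _lookups=None):
    """Return (result, reason) for a connecting IP and an envelope-sender domain."""
    if _lookups is None:
        _lookups = [0]  # shared counter across include recursion
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none", f"no SPF record for {domain}"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier], f"{domain}: matched 'all'"
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)  # bare host becomes /32 or /128
            except ValueError:
                return "permerror", f"{domain}: bad network {arg!r}"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier], f"{domain}: matched {name}:{arg}"
            continue
        if name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror", f"{domain}: too many DNS lookups"
            sub, _ = check_spf(ip, arg, records, _lookups)
            if sub == "pass":
                return QUALIFIERS[qualifier], f"{domain}: include:{arg} passed"
            if sub in ("permerror", "temperror", "none"):
                # RFC 7208: an included domain with no record is a permerror
                return "permerror", f"{domain}: include:{arg} returned {sub}"
            continue  # fail/softfail/neutral inside an include simply do not match
        return "permerror", f"{domain}: unsupported mechanism {name!r}"
    return "neutral", f"{domain}: no mechanism matched"


if __name__ == "__main__":
    # A host the domain owner listed, then a host pretending to be example.com.
    print(check_spf("192.0.2.57", "example.com"))
    print(check_spf("203.0.113.5", "example.com"))
```

The sending side of SPF is nothing more than publishing the one-line TXT record for your domain; the receiving side runs a check like this on the connecting IP before accepting the message, and the `-all` at the end of the record is what lets it reject mail from anyone else claiming your domain. Note what this does not cover: SPF says nothing about the From: address the recipient sees, and a forwarding hop that re-sends mail from its own IP will fail the check for a legitimate message, which is why `~all` (softfail) is a common first step before tightening to `-all`.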

It's also likely that RSS (Really Simple Syndication) will become an alternative channel, especially for companies communicating with customers — for example, subscribed newsletters, notices of sales, etc., all the things the recipient has asked to receive. RSS appears as an "active link" in your bookmarks list, and it reminds you to go get something that has changed recently.

None of these is a perfect solution, but for now we at least have some tools to use against the fraudsters and hucksters that clog our pipes with tripe emails.